FTC Creates De-Facto Legal Requirements for Credential Stuffing & Account Takeover

The FTC is sending a message that businesses can no longer simply play the victim card. Instead, they are responsible for protecting their customers from credential stuffing.

Three years ago, a company called TaxSlayer was hit by a credential stuffing attack. While that may seem like old news, the U.S. Federal Trade Commission (FTC) investigated the company's security practices, and the resulting enforcement order requires compliance for the next 20 years.

Credential stuffing attacks are increasingly common, and this FTC action against TaxSlayer LLC is the first of its kind, but it will not be the last: companies are being held responsible for protecting their customers' accounts.

Protecting customers means basic account security, including preventing account takeover (ATO) via credential stuffing with layered controls such as those discussed below.

What is credential stuffing?

It all starts with compromised credentials. Here is a quick summary:

  • Data leaks and massive data breaches have put billions of compromised credentials into circulation, traded and sold on the dark web and the public Internet.
  • Most people reuse usernames and passwords across multiple websites, and attackers take advantage of this by testing the exposed credentials against other sites.
  • With a list of exposed credentials in hand, attackers test them manually or, far more often, through distributed bot networks. Because each bot sends only a handful of attempts from a seemingly innocuous IP address, per-IP rate limits and blocklists often miss the attack entirely; this automated replay of stolen credentials is what is meant by credential stuffing.
  • The attempts are made against a public-facing login form (or the API behind it). Hundreds of thousands of bots can try to get into user accounts with stolen credentials, and only a small fraction need to succeed for the attack to pay off.
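The detection side of the attack described above, as an added example that is not part of the original article and is not TaxSlayer's code: a small analyser run over constructed web-login log lines. The log format, the IP addresses and the thresholds are assumptions chosen to show the point that matters, namely that a distributed stuffing run keeps every source IP under a per-IP limit and is only visible in the aggregate (many usernames, mostly failures) and per account (one username tried from many IPs).

```python
"""Detect credential-stuffing patterns in web-login logs.

Added example, not from the original article or from TaxSlayer. The log
lines, the field layout and the thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: "<ISO-8601 UTC> <client IP> <username> <FAIL|SUCCESS>".
# Eleven source IPs, each making one or two attempts, so a per-IP rate limit
# never fires; the attack only shows up in the aggregate and per account.
SAMPLE_LOG = """\
2015-11-03T10:00:01Z 203.0.113.5 alice FAIL
2015-11-03T10:00:02Z 203.0.113.7 bob FAIL
2015-11-03T10:00:02Z 198.51.100.9 carol FAIL
2015-11-03T10:00:03Z 203.0.113.5 dave FAIL
2015-11-03T10:00:04Z 198.51.100.12 erin SUCCESS
2015-11-03T10:00:05Z 203.0.113.8 frank FAIL
2015-11-03T10:00:06Z 198.51.100.21 alice FAIL
2015-11-03T10:00:07Z 203.0.113.9 grace FAIL
2015-11-03T10:00:08Z 192.0.2.44 heidi SUCCESS
2015-11-03T10:00:09Z 203.0.113.10 ivan FAIL
2015-11-03T10:00:10Z 198.51.100.30 alice FAIL
2015-11-03T10:00:11Z 203.0.113.11 judy FAIL
2015-11-03T10:30:00Z 192.0.2.44 heidi SUCCESS
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the constructed four-field log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(when, ip, user, result == "SUCCESS"))
    return events


def window_stats(events: list) -> dict:
    """Aggregate one time window; these are the signals a stuffing run leaves."""
    attempts_per_ip = Counter(e.ip for e in events)
    ips_per_user = defaultdict(set)
    for e in events:
        ips_per_user[e.user].add(e.ip)
    failures = sum(1 for e in events if not e.ok)
    return {
        "attempts": len(events),
        "failures": failures,
        "fail_ratio": failures / len(events),
        "distinct_ips": len(attempts_per_ip),
        "distinct_users": len(ips_per_user),
        "max_attempts_per_ip": max(attempts_per_ip.values()),
        "ips_per_user": {u: len(ips) for u, ips in ips_per_user.items()},
    }


def detect_stuffing(text: str, window_seconds: int = 60, min_attempts: int = 8,
                    min_fail_ratio: float = 0.7, min_users: int = 6,
                    min_ips_per_user: int = 3) -> list:
    """Return one alert per suspicious window and one per targeted account.

    Rule 1 (distributed_stuffing): many attempts, mostly failing, spread over
    many usernames. It fires even when every IP stays under a per-IP limit.
    Rule 2 (account_targeted): one username tried from several IPs; that
    account's password is probably in a breach list and deserves a reset.
    Thresholds are illustrative; tune them against your own baseline.
    """
    windows = defaultdict(list)
    for e in parse_log(text):
        start = int(e.ts.timestamp()) // window_seconds * window_seconds
        windows[start].append(e)
    alerts = []
    for start in sorted(windows):
        s = window_stats(windows[start])
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        if (s["attempts"] >= min_attempts and s["fail_ratio"] >= min_fail_ratio
                and s["distinct_users"] >= min_users):
            alerts.append({"rule": "distributed_stuffing", "window": when, **s})
        for user, n_ips in sorted(s["ips_per_user"].items()):
            if n_ips >= min_ips_per_user:
                alerts.append({"rule": "account_targeted", "window": when,
                               "user": user, "distinct_ips": n_ips})
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

On the sample data the first window produces a distributed_stuffing alert with 12 attempts, 10 failures and 11 distinct IPs, yet no IP made more than two attempts, which is exactly why a per-IP counter is not enough. The second alert names alice, whose account was tried from three different addresses and should be forced through a password reset regardless of whether any attempt succeeded.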


The FTC is Setting the Precedent with TaxSlayer

TaxSlayer is an online tax preparation service whose customer accounts hold sensitive personally identifiable information (PII) and financial data.

The FTC complaint describes TaxSlayer's browser-based and mobile tax return service, in which users created accounts and entered PII together with financial data ranging from bank account details to credit card numbers.

From October to December 2015, a large credential stuffing attack against the TaxSlayer website gave the attackers access to nearly 9,000 customer accounts. With that access, they filed fraudulent returns and redirected the refund payments to themselves. A customer complaint in January 2016 alerted TaxSlayer to the attack; once the company rolled out multi-factor authentication (MFA), the attack ceased.

The FTC charged that TaxSlayer had failed to comply with the Privacy Rule and the Safeguards Rule issued under the Gramm-Leach-Bliley Act (GLBA). GLBA is a data privacy statute for financial institutions, which for the FTC's purposes means any business significantly engaged in financial activities. That reaches well beyond banks: tax return preparation, car loans, credit cards and similar services all count.

The FTC alleged that TaxSlayer had failed the Safeguards Rule, which requires covered businesses to:

  • Have a comprehensive written information security program
  • Conduct risk assessments
  • Design and implement information safeguards to control the risks identified during the assessments

According to the complaint, TaxSlayer had no written information security program until November 2015 and had not conducted a risk assessment, which would have identified reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information. The FTC also noted that credential stuffing attacks had become common and were therefore foreseeable.

In effect, the FTC has turned detecting and preventing credential stuffing into a legal expectation: it is a foreseeable attack that a proper risk assessment would flag and that the required safeguards must address.

The complaint also implies a baseline of login security practices that many security experts already recommend, such as:

  • Email validation upon account creation
  • Strong password requirements
  • Risk-based authentication, including two-factor or multi-factor authentication (2FA or MFA)
  • Notifying customers when information on their account changes
  • Basic controls against authentication with stolen credentials (such as compromised credential screening)


The impact of credential stuffing and ATO

Businesses across the globe are struggling with credential stuffing and ATO attacks. One estimate is that credential stuffing bots get into 3-8% of the accounts they target using compromised credentials from the dark web, and a study by Shape Security found that up to 90% of traffic to enterprise login forms comes from these attacks.

Some businesses use 2FA or MFA to mitigate the risk, but some have seen customer logins decline after adding steps to the authentication process. MFA is an excellent safeguard, but it places the burden of the extra step on the user, so some businesses have made it optional for their customers.

Other businesses use proactive compromised credential screening, which can be less intrusive in the login flow. When someone logs in, an API checks their credentials within milliseconds against a backend database of billions of compromised credentials to determine whether they have already been exposed. If they have, the business can force a password reset to secure the account. Done properly, the check sends a hash (or a short hash prefix) to the screening service rather than the plaintext password, and it runs at login because that is the only moment the application holds the plaintext.
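The screening flow just described, as an added example that is not the article's code and not any vendor's API: a login handler that verifies the password against a salted PBKDF2 hash and, on success, checks it against a breach corpus using a k-anonymity range query (SHA-1, 5-hex-character prefix, the scheme popularised by Pwned Passwords), then flags the account for a forced reset if the password is known to be leaked. The breach corpus, the user records and the function names are constructed for the example.

```python
"""Compromised-credential screening at login with a k-anonymity range query.

Added example, not from the original article or from any screening vendor.
The breach corpus and user store are constructed; the prefix/suffix split
follows the Pwned Passwords style so the full hash never leaves the app.
"""
import hashlib
import hmac
import os
from collections import defaultdict


def _sha1_upper(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus standing in for the "billions of credentials"
# database. Only hashes are indexed; the plaintexts appear here solely to
# build the sample. Counts are made-up prevalence figures.
BREACH_INDEX: dict = defaultdict(dict)
for _pw, _count in [("password", 3_000_000), ("123456", 5_000_000),
                    ("Summer2015!", 42), ("letmein", 90_000)]:
    _h = _sha1_upper(_pw)
    BREACH_INDEX[_h[:5]][_h[5:]] = _count


def range_query(prefix: str) -> dict:
    """Screening-service endpoint: every known suffix under a 5-char prefix.

    The service sees 20 bits of the hash and never learns which suffix the
    caller cares about, let alone the password itself."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return dict(BREACH_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client-side half: query by prefix, match the suffix locally."""
    h = _sha1_upper(password)
    return range_query(h[:5]).get(h[5:], 0)


# Application user store: salted PBKDF2-HMAC-SHA256 plus a forced-reset flag.
_ITERATIONS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "must_reset": False}


# Constructed accounts: alice reuses a leaked password, bob does not.
USERS = {"alice": make_user("Summer2015!"),
         "bob": make_user("correct horse battery staple")}


def login(username: str, password: str) -> str:
    """Return DENIED, RESET_REQUIRED or OK.

    Screening runs only after the password verifies: that is the one moment
    the application holds the plaintext, so it can be checked against the
    breach corpus without ever being stored."""
    user = USERS.get(username)
    if user is None:
        _pbkdf2(password, b"\x00" * 16)   # equal work, so timing hides which usernames exist
        return "DENIED"
    if not hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"]):
        return "DENIED"
    if user["must_reset"]:
        return "RESET_REQUIRED"
    if breach_count(password) > 0:
        user["must_reset"] = True         # valid login, but the password is public
        return "RESET_REQUIRED"
    return "OK"


if __name__ == "__main__":
    for name, pw in [("alice", "Summer2015!"), ("bob", "correct horse battery staple"),
                     ("alice", "wrong"), ("nobody", "x")]:
        print(name, login(name, pw))
```

The screening is applied to the password only, which is what a password-prevalence corpus supports; a service that indexes leaked username:password pairs would hash the pair instead, and the range-query shape stays the same. Note that the result of a correct login with a leaked password is still a reset, not an "OK": the account is valid, but anyone holding the breach list could log in just as easily.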

Many businesses implement both MFA and compromised credential screening, since there have been recent cases where attackers got into accounts despite MFA, typically by phishing the one-time code in real time or by hijacking the phone number that receives SMS codes.


Summary

Any business that is subject to GLBA, or that holds sensitive customer information, may face the same scrutiny as TaxSlayer when it becomes the victim of a credential stuffing attack.

Customer security starts with account creation and login. If you fail your customers there, you fail them everywhere else.